Pennsylvania power companies unscathed by hackers

The Brunner Island coal-burning power plant in York Haven was the third-largest source of a smog-causing pollutant in Pennsylvania in 2011, according to a Sierra Club report released this year. (John A. Pavoncello - jpavoncello@yorkdispatch.com) (Photo: The York Dispatch)

The good news is that hackers have not caused the lights to go out in Pennsylvania.

But have they even tried? It’s unclear. State regulators and the utilities themselves won’t discuss attempted breaches, citing security concerns.

Nationally, The Associated Press found that foreign hackers have been able to infiltrate power companies’ computer systems about a dozen times in the last decade, potentially providing an avenue to attack the networks that keep the U.S. electrical grid running.

In Pennsylvania, each of the 11 regulated utilities that power the vast majority of the state’s homes and businesses is required under state law to maintain a cybersecurity plan designed to protect against intrusions into their computer networks.

Some things to know about regulators’ and utilities’ efforts to repel hacking attacks:

No major breaches: Regulated power companies such as PECO Energy, PPL Electric Utilities, West Penn Power and Duquesne Light are required to tell the Pennsylvania Public Utility Commission if hackers cause a power outage or more than $50,000 in damage. To date, the PUC has received no such reports, spokesman Nils Hagen-Frederiksen said.

However, the utilities don’t have to notify state regulators about failed hacking attempts. Hagen-Frederiksen said power companies are encouraged to share that information, but he declined to say whether the commission has received any reports about unsuccessful attacks or minor intrusions that don’t meet the reporting threshold. Nor will power companies discuss it.

Secret plans: The utilities’ cybersecurity plans are deemed “confidential and proprietary” and are exempt from Pennsylvania open-records laws. But state regulators have access to them at any time and typically review them during broader management audits that take place at least once every five years.

Like other big utilities, PPL, the state’s No. 2 power company, with 1.4 million customers in central and eastern Pennsylvania, won’t reveal the specific steps it has taken to repel hackers.

“We have a coordinated defense to protect the bulk electric system … from cyber attacks,” said spokesman Paul Wirth.

FirstEnergy Corp. of Akron, Ohio, which owns four utilities (Met-Ed, Penelec, West Penn Power and Penn Power) that serve a combined 2 million customers in Pennsylvania, issued a statement that said it “has a comprehensive plan for protecting our critical cyber assets against potential attacks.”

Federal standards: Large power companies must also comply with federal cybersecurity standards, which are enforced by the North American Electric Reliability Corp. That body has fined utilities around the country for violating cybersecurity rules, but the identities of the violators are confidential. So it’s unknown if Pennsylvania utilities have been fined.

What about the little guys? Pennsylvania has dozens of rural cooperatives and small municipally owned electric utilities that do not fall under state regulators’ jurisdiction.